Nearly Three-Quarters of UK Unis Are Phishing Victims

Some 70% of UK universities have fallen victim to phishing attacks, according to new data from Duo Security.

The vendor submitted Freedom of Information (FoI) requests to 70 universities late last year and received responses from 51.

Some 72% said they had fallen victim to a phishing email over the past 12 months.

Even more worryingly, 12 universities said they’d been hit by such attacks over 10 times in the period, and seven claimed they’d been struck more than 50 times.

These included unis running GCHQ-certified degree courses, such as Oxford, Duo Security claimed.

Action Fraud has alerted educational institutions in the past about the dangers of phishing.

In May last year it warned of a new campaign in which students received an email purporting to come from their finance department, telling them they’d been awarded a grant and asking for their bank account details.

Then in February this year another Action Fraud missive alerted university staff to more than 100 reports of victims receiving bogus pay rise emails.

The phishers this time claimed to be emailing from the university HR department, in a bid to collect staff financial details by claiming they were in for a pay rise.

“The findings reveal that universities – staff and students – make popular targets for these attacks, which leaves them vulnerable to all kinds of security risks,” argued Duo Security EMEA vice president, Henry Seddon.

“They open the doors to hackers, with stolen credentials, to access an organization’s system virtually undetected, posing as an authorised user. Worryingly, phishing is now the most popular way of delivering ransomware onto an organization’s network.”

Universities are of course not alone in being targeted by phishing attacks.

The 2017 Verizon Data Breach Investigations Report out this week revealed phishing is now present in a fifth (21%) of attacks, up from just 8% the previous year.

As Seddon explained, phishing isn’t just targeted at victims’ financial details; it can be an easy way for cybercriminals or state-sponsored hackers to get hold of valuable log-ins.

Some 81% of hacking-related breaches succeed through stolen, weak or easy-to-guess passwords, according to Verizon.

Credential phishing of webmail accounts was revealed by Trend Micro this week as one of the main ways infamous Russia-linked APT group Pawn Storm infiltrates victim organizations.